4 comments

[ 3.6 ms ] story [ 24.0 ms ] thread
I often wonder about the security of add-ons, and whether training users to install them willy-nilly is a good security practice.

As for this one, I would have been wary due to the way the developer seemed to think 'u' is a word. It's the little things that can tip you off that at least, something might not be of professional quality.

Definitely a bad precedent, but through addons.mozilla.org, it feels no different than the "Android Market" model. I like this quote though:

"Mozilla subsequently confirmed that they had not reviewed this add-on and are currently working on a new security model that will require all add-ons to be code-reviewed before becoming discoverable on addons.mozilla.org."

Which would let me rest easy installing any extensions, as long as they're from addons.mozilla.org, a trusted source.

Yes, it would be much better if the software on addons.mozilla.org was reviewed. As it is, they tell you that it may be unsafe - and considering you see that for every single add on, even ones known to be safe like Firebug, it's as good as no message at all. I've read that there is a nefarious market now for old, forgotten add ons - it's possible to take over development of an add-on, and make an update that is malware. Firefox will then automatically update the software for everyone who has it installed.

I haven't used the Android Market, but I did notice similar treatment for add ons in the Google Desktop Sidebar. I never download the apps they offer there, as again, the warning essentially says anything available could be a dangerous trojan, and nobody from Google has taken the time to check any of them.

When a trusted name offers software, they should at least provide the assurance that it is not malware. Of course, this leads to systems like the App Store and considering how expensive and time consuming the review process could be, I understand why they don't. So, that's great to hear Mozilla is trying to improve this!